apm sso saml(1) BIG-IP TMSH Manual apm sso saml(1)
NAME
saml - Specify SAML SSO configuration.
MODULE
apm sso
SYNTAX
Configure the saml within the sso module using the syntax shown in the following sections.
CREATE/MODIFY
create saml [name]
modify saml [name]
options:
apm-log-config [[string] | none]
app-service [[string] | none]
artifact-resolution-service-name [name | none]
assertion-validity [integer]
attributes [none | {
{
name [[string] | none],
name-format [ basic | unspecified | uri ],
multi-values {
[string]
},
encrypt [true | false],
encryption-type [aes128 | aes192 | aes256]
}
} ]
auth-context-method [string | none]
description [[string] | none]
encrypt-subject [true | false]
encryption-type-subject [aes128 | aes192 | aes256]
entity-id [string]
export-metadata [no-signing | with-signing]
idp-certificate [string | none]
idp-certificate-session-var [string | none]
idp-host [string | none]
idp-scheme [http | https]
idp-signkey [string | none]
idp-signkey-session-var [string | none]
key-transport-algorithm [ rsa-oaep | rsa-v1.5 ]
location-specific [true | false]
log-level [alert | crit | debug | emerg | err | info | notice | warn]
metadata-cert [[string] | none]
metadata-file [[string] | none]
metadata-signkey [string | none]
name-qualifier [[string] | none]
saml-profiles [add | delete | modify | none | replace-all-with] {
[ecp | web-browser-sso]
}
sp-connectors [add | delete | modify | none | replace-all-with] {
[string]
}
subject-type [email-address | kerberos | transient | win-domain-qualified-name | entity | persistent | unspecified | x509-subject]
subject-value [ string | none ]
edit saml [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list saml
list saml [ [ [name] | [glob] | [regex] ] ... ]
show running-config saml
show running-config saml [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
app-service
non-default-properties
one-line
partition
DELETE
delete saml [name]
DESCRIPTION
You can use the saml component to create and manage SAML SSO objects.
EXAMPLES
create saml my_saml_sso_obj { entity-id "https://myidpvs.big-ip.com/idp" subject-type email-address subject-value test@mycompany.com idp-certificate default.crt idp-signkey default.key sp-connectors add { google_apps salesforce }}
Creates a SAML SSO object named my_saml_sso_obj with SP connectors "google_apps" and "salesforce".
create saml my_saml_sso_obj1 { entity-id "https://myidpvs.big-ip.com/idp" subject-type email-address subject-value test@mycompany.com idp-certificate default.crt idp-signkey default.key sp-connectors add { google_apps sp_salesforce } attributes {{name "group" multi-values { "PD" "Admin" }} {name "title" multi-values { "engineer1" }}} }
Creates a SAML SSO object named my_saml_sso_obj1 with attributes "group" and "title".
list saml
Displays the list of SAML SSO objects.
delete saml my_saml_sso_obj
Deletes the my_saml_sso_obj SAML SSO object.
OPTIONS
apm-log-config
Specifies the log-setting object to associate with this SAML SSO object. If this value is empty, the logging
framework uses the log-setting configuration associated with the access profile in which the SSO object is used.
app-service
Specifies the name of the application service to which the object belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the object. Only the application service can modify or delete the object.
assertion-validity
Specifies the assertion validity period in seconds.
artifact-resolution-service-name
Specifies the artifact resolution service used by this BIG-IP system, acting as IdP, to receive artifacts and
resolve them into assertions.
attributes
Specifies the list of attributes included in the assertion. Both the attribute name and its values can be
session variables. The 'value' property is DEPRECATED; "multi-values" must be used instead. "name-format" can
be used to optionally specify the format of the attribute name.
create saml my_saml_sso_obj1 { entity-id "https://myidpvs.big-ip.com/idp" subject-type email-address subject-value test@mycompany.com idp-certificate default.crt idp-signkey default.key sp-connectors add { google_apps sp_salesforce } attributes {{name "group" multi-values { "%{session.ldap.last.attr.primarygroup}"}} {name "name" multi-values { "firstName" "lastName" } name-format basic}} }
Creates a SAML SSO object named my_saml_sso_obj1 with attributes "group" and "name".
auth-context-method
Specifies the authentication context method used by this BIG-IP system, acting as IdP, when creating
assertions. This attribute can be a session variable.
description
Specifies a unique description for the SAML SSO object. The default is none.
encrypt-subject
Set to true if the assertion 'Subject' must be encrypted. The default value is false.
encryption-type-subject
The encryption algorithm used to encrypt the 'Subject' element in the assertion. The default value is aes128.
entity-id
Specifies the unique identifier of this BIG-IP system as IdP. Typically, 'entity-id' is a URI that points to
the BIG-IP virtual server that acts as the SAML IdP. If 'entity-id' is not a valid URL, the idp-host attribute
is required. Examples of valid values are "https://mycompany-idp", "idp:my:company", and
"idp.my.company.com".
export-metadata
You can simplify SAML configuration by using metadata files. When you use APM as an IdP, you can export the
IdP metadata, save it to a file, and give the file to the SP, so that the SP can import its SAML configuration
from it or use the information in it to configure the IdP. You can choose to sign the metadata while
exporting it for better security.
For example:
1. Exporting metadata with signing. This requires the metadata-signkey and metadata-cert files.
modify saml my_saml_sso_obj {export-metadata with-signing metadata-file /shared/idp_signed_metadata.xml metadata-cert default.crt metadata-signkey default.key}
2. Exporting metadata with no signing.
modify saml my_saml_sso_obj {export-metadata no-signing metadata-file /shared/idp_metadata.xml}
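The following is an added example and not F5's code or tmsh output: a check an administrator can run on the exported metadata file before handing it to an SP. It assumes the export is standard SAML 2.0 metadata (md:EntityDescriptor with an md:IDPSSODescriptor and KeyDescriptor elements); the sample document, the placeholder certificate bytes, the dummy signature value and the SingleSignOnService Location are all constructed for this example and do not reproduce the exact layout BIG-IP produces. It verifies that entityID matches the configured entity-id, that a ds:Signature is present exactly when export-metadata was with-signing, that the signing certificate is the configured idp-certificate, and that every SingleSignOnService endpoint uses https. The signature is checked for presence only; cryptographic verification needs an XML-DSig library.

```python
# Added example, not F5's code: sanity-check an exported IdP metadata file before
# giving it to an SP. The signature element is only checked for presence.
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def pem_to_der(pem):
    """Strip the PEM armour and return the DER bytes of a certificate."""
    body = [line for line in pem.strip().splitlines() if not line.startswith("-----")]
    return base64.b64decode("".join(body))


def check_idp_metadata(xml_text, entity_id, idp_cert_pem, expect_signed):
    """Return a list of findings; an empty list means the metadata is consistent."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    if root.get("entityID") != entity_id:
        findings.append("entityID %r does not match configured entity-id %r"
                        % (root.get("entityID"), entity_id))
    signed = root.find("ds:Signature", NS) is not None
    if expect_signed and not signed:
        findings.append("with-signing export expected but no ds:Signature element present")
    if signed and not expect_signed:
        findings.append("no-signing export expected but a ds:Signature element is present")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        findings.append("no md:IDPSSODescriptor; this is not IdP metadata")
        return findings
    # Compare DER bytes so base64 line wrapping inside the XML does not matter.
    expected = pem_to_der(idp_cert_pem)
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                signing_certs.append(base64.b64decode("".join(cert.text.split())))
    if not signing_certs:
        findings.append("no signing KeyDescriptor; the SP cannot verify assertion signatures")
    elif expected not in signing_certs:
        findings.append("signing certificate in metadata is not the configured idp-certificate")
    for sso in idp.findall("md:SingleSignOnService", NS):
        if not sso.get("Location", "").startswith("https://"):
            findings.append("SingleSignOnService %r is not https" % sso.get("Location"))
    return findings


# Constructed placeholders: the "certificate" is base64 of arbitrary bytes, not a real
# X.509 certificate, and the signature value is a dummy string.
FAKE_CERT_B64 = base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()
FAKE_CERT_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % FAKE_CERT_B64
SIGNATURE_XML = ('<ds:Signature><ds:SignedInfo/><ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>'
                 '</ds:Signature>')

# Constructed metadata document; the SingleSignOnService Location is a placeholder.
METADATA_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://myidpvs.big-ip.com/idp">
  {sig}
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myidpvs.big-ip.com/saml/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SIGNED_METADATA = METADATA_TEMPLATE.format(sig=SIGNATURE_XML, cert=FAKE_CERT_B64)
UNSIGNED_METADATA = METADATA_TEMPLATE.format(sig="", cert=FAKE_CERT_B64)

if __name__ == "__main__":
    for label, doc, signed in (("signed", SIGNED_METADATA, True),
                               ("unsigned", UNSIGNED_METADATA, False)):
        result = check_idp_metadata(doc, "https://myidpvs.big-ip.com/idp", FAKE_CERT_PEM, signed)
        print(label, result or "OK")
```

Run it against a real export by reading /shared/idp_signed_metadata.xml (or whatever metadata-file you chose) into `xml_text` and passing the PEM of the certificate named in idp-certificate; a non-empty result means the metadata and the SAML SSO object disagree and the SP would be configured with the wrong identity or key.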
idp-certificate
BIG-IP includes this certificate in the SAML IdP metadata that you export. After the SAML IdP metadata is
imported on the SP, the SP can use this certificate to verify the signature of assertion sent by this
BIG-IP as IdP.
idp-certificate-session-var
Specifies the certificate this BIG-IP as IdP will use to sign SAML messages including SAML assertion.
This attribute must be specified in session variable format. This attribute is mutually exclusive with
.
idp-host
Hostname of this BIG-IP as IdP. This attribute is required when "entity-id" is not a valid URL.
idp-scheme
Scheme used by this BIG-IP as IdP. This attribute is only used when idp-host is not empty. Default value
is https.
idp-signkey
Specifies the private key used by this BIG-IP system, acting as IdP, to sign assertions.
idp-signkey-session-var
Specifies the signing key this BIG-IP as IdP will use to sign SAML messages including SAML assertion.
This attribute must be specified in session variable format. This attribute is mutually exclusive with
.
key-transport-algorithm
Specifies the key transport algorithm used for encrypted attributes, subject-value, or assertion. The default
and recommended value is rsa-oaep. rsa-v1.5 is NOT RECOMMENDED due to the security risks associated with the
algorithm, and should NOT be used except for compatibility with older applications.
location-specific
Objects of this class might have location-specific attributes. An administrator can indicate that an object is
location specific by setting this to true.
log-level
log-level is deprecated. Use apm-log-config instead to customize the log-setting.
metadata-cert
Specifies the certificate containing the public key of the key pair used to sign the metadata. See
export-metadata for more information on metadata export. This is the certificate included in signed metadata
when metadata is exported; it might or might not be the IdP certificate.
metadata-file
Specifies the file to which the metadata is saved. See export-metadata for more information on metadata
export.
metadata-signkey
Specifies the key used to sign the IdP's metadata. See export-metadata for more information on metadata
export.
name-qualifier
Specifies the security or administrative domain of the IdP (this BIG-IP system). This value usually matches
the IdP Entity ID.
saml-profiles
The list of SAML profiles enabled on this BIG-IP system as IdP. The default value is web-browser-sso.
sp-connectors
Specifies the list of SP connectors associated with this SAML SSO object. When this SSO object is assigned to
a SAML resource, only one SP connector entry is allowed. When the SAML SSO object is assigned to an access
profile, you can add multiple SAML SP connectors.
subject-type
Specifies the type of subject used when creating the SAML assertion.
subject-value
Specifies the value of the subject included in the SAML assertion. This can be a session variable, for
example %{session.last.logonname} or %{session.ad.last.attr.userEmail}.
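The following is an added example, not F5's code: a small audit that parses a SAML SSO object written in the brace syntax of the SYNTAX and EXAMPLES sections and checks it against rules stated in the OPTIONS section (a non-URL entity-id requires idp-host; rsa-v1.5 key transport is not recommended; 'value' and log-level are deprecated; an object assigned to a SAML resource may list only one SP connector; an object with no idp-signkey or idp-signkey-session-var cannot sign assertions). It assumes that `list saml <name>` prints the object in the same brace syntax as the create examples, beginning with `apm sso saml <name> {`, and that properties left at their defaults are not printed; both sample objects below are constructed, and `is_url` uses urllib's parsing as the definition of "valid URL", which reproduces the three entity-id examples given above.

```python
# Added example, not F5's code: parse a SAML SSO object in tmsh brace syntax and
# audit it against the rules stated in the OPTIONS section of this manual page.
import re
from urllib.parse import urlparse

# Keys whose block holds a list of items rather than key/value pairs.
LIST_KEYS = {"sp-connectors", "multi-values", "saml-profiles", "attributes"}


def tokenize(text):
    """Split tmsh brace syntax into tokens: quoted strings, braces, bare words.
    Quoted strings are matched first, so a quoted "%{session...}" stays one token."""
    return re.findall(r'"[^"]*"|[{}]|[^\s{}]+', text)


def unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_body(tokens, i, as_list):
    """Parse from index i up to the matching '}'. Returns (value, index after '}')."""
    items = [] if as_list else {}
    while tokens[i] != "}":
        if as_list:
            if tokens[i] == "{":  # anonymous block, e.g. one entry of attributes
                value, i = parse_body(tokens, i + 1, False)
            else:
                value, i = unquote(tokens[i]), i + 1
            items.append(value)
        else:
            key = tokens[i]
            if tokens[i + 1] == "{":
                value, i = parse_body(tokens, i + 2, key in LIST_KEYS)
            else:
                value, i = unquote(tokens[i + 1]), i + 2
            items[key] = value
    return items, i + 1


def parse_saml_object(text):
    """Return (object name, property dict) for one 'apm sso saml NAME { ... }' block."""
    tokens = tokenize(text)
    start = tokens.index("{")
    body, _ = parse_body(tokens, start + 1, False)
    return tokens[start - 1], body


def is_url(value):
    """'Valid URL' here means an http or https scheme with a host part (assumption)."""
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def audit(cfg, assigned_to="access-profile"):
    """Findings for one parsed object; assigned_to is 'access-profile' or 'saml-resource'."""
    findings = []
    entity_id = cfg.get("entity-id", "")
    if not is_url(entity_id) and cfg.get("idp-host", "none") == "none":
        findings.append("entity-id %r is not a URL, so idp-host is required" % entity_id)
    if cfg.get("key-transport-algorithm", "rsa-oaep") == "rsa-v1.5":
        findings.append("key-transport-algorithm rsa-v1.5 is not recommended; use rsa-oaep")
    if cfg.get("idp-signkey", "none") == "none" and cfg.get("idp-signkey-session-var", "none") == "none":
        findings.append("no idp-signkey or idp-signkey-session-var; assertions cannot be signed")
    if "log-level" in cfg:  # only printed when explicitly set (assumption: defaults are omitted)
        findings.append("log-level is deprecated; use apm-log-config")
    connectors = cfg.get("sp-connectors", [])
    if assigned_to == "saml-resource" and len(connectors) > 1:
        findings.append("assigned to a SAML resource but lists %d SP connectors; only one is allowed"
                        % len(connectors))
    for attr in cfg.get("attributes", []):
        if "value" in attr:
            findings.append("attribute %r uses deprecated 'value'; use multi-values" % attr.get("name"))
    return findings


# Constructed sample objects in the brace syntax of this manual page.
GOOD_OBJECT = """apm sso saml my_saml_sso_obj {
    entity-id https://myidpvs.big-ip.com/idp
    subject-type email-address
    subject-value test@mycompany.com
    idp-certificate default.crt
    idp-signkey default.key
    sp-connectors { google_apps salesforce }
    attributes { { name "group" multi-values { "PD" "Admin" } } { name "title" multi-values { "engineer1" } } }
}"""

WEAK_OBJECT = """apm sso saml weak_sso_obj {
    entity-id idp:my:company
    subject-type email-address
    subject-value "%{session.last.logonname}"
    idp-certificate default.crt
    key-transport-algorithm rsa-v1.5
    log-level debug
    sp-connectors { google_apps salesforce }
    attributes { { name "group" value "Admin" } }
}"""

if __name__ == "__main__":
    for text, assigned in ((GOOD_OBJECT, "access-profile"), (WEAK_OBJECT, "saml-resource")):
        name, cfg = parse_saml_object(text)
        print(name, audit(cfg, assigned_to=assigned) or "OK")
```

Session variables such as %{session.last.logonname} must be quoted in the brace syntax, as the attributes example above does; an unquoted one would be split at its braces by any brace-based parser, including this one.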
SEE ALSO
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2012-2013, 2016. All rights reserved.
BIG-IP 2017-11-29 apm sso saml(1)